02-20-2024 11:21 AM - edited 02-20-2024 11:30 AM
I have an ASA 5506-X version 9.8(2). The ASA has two interfaces: g1/1 (outside, ip: 209.165.0.2/30), and g1/3 (inside, ip: 209.165.0.5/30).
g1/1 is connected to a 881-W router (Router-A), whose ip is 209.165.0.1/30. Router-A's internal interface is 192.168.0.1/24.
g1/3 is connected to a 2821 router (Router-B), whose ip is 209.165.0.6/30. Router-B's internal interface is 10.0.0.1/24.
This is what the topology looks like: (Note that I have an actual physical lab, I just diagrammed it in Packet Tracer so that it's easier to visualize. Also the model numbers on the Packet Tracer diagram do not correspond with the actual physical models)
Below are my additional configurations:
881-W's routes:
ip route 209.165.0.4 255.255.255.252 vlan 2 <------------ (I would like to test if a directly connected route can result in a successful ping. If I change this to a next hop route (ip route 209.165.0.4 255.255.255.252 209.165.0.2), ping is successful. But as of now, ping is unsuccessful if I use the directly connected route.)
ip route 10.0.0.0 255.255.255.0 209.165.0.2
2821's routes:
ip route 192.168.0.0 255.255.255.0 209.165.0.5
ip route 209.165.0.0 255.255.255.252 209.165.0.5
ASA's routes and ACL:
route outside 192.168.0.0 255.255.255.0 209.165.0.1
route inside 10.0.0.0 255.255.255.0 209.165.0.6
access-list PERMIT extended permit ip any any
access-group PERMIT in interface outside
access-group PERMIT in interface inside
access-group PERMIT out interface outside
access-group PERMIT out interface inside
I added arp permit-nonconnected on the ASA, but pinging from 192.168.0.1 to 10.0.0.1 does not work. Why?
debug arp on ASA outputs:
arp-in: request at outside from 209.165.0.1 588d.09a4.f3cc for 10.0.0.1 0000.0000.0000 having smac 588d.09a4.f3cc dmac ffff.ffff.ffff
arp-set: added arp outside 209.165.0.1 588d.09a4.f3cc and updating NPs at 19:52:01.599
Shouldn't it work even if the source (209.165.0.1) and destination address (10.0.0.1) of the ARP packet are in different subnets, since I configured arp permit-nonconnected?
Thanks for the help!
02-20-2024 11:29 AM
To ping
1-You need two static routes in ASA
2-You need one static route in each router
MHM
02-20-2024 01:03 PM
I already had these routes configured:
881-W's routes:
ip route 209.165.0.4 255.255.255.252 vlan 2
ip route 10.0.0.0 255.255.255.0 209.165.0.2
2821's routes:
ip route 192.168.0.0 255.255.255.0 209.165.0.5
ip route 209.165.0.0 255.255.255.252 209.165.0.5
ASA's routes and ACL:
route outside 192.168.0.0 255.255.255.0 209.165.0.1
route inside 10.0.0.0 255.255.255.0 209.165.0.6
But pinging doesn't work. Are these the necessary routes or am I mistaken? Thanks!
02-20-2024 01:13 PM
From any PC, traceroute to the other one
Share the result here
MHM
02-20-2024 01:59 PM
02-20-2024 03:11 PM
The traffic stops in the router
Use a static route in both routers, but use the egress interface, not the next-hop
MHM
02-20-2024 07:52 PM
I changed the routes to use egress interface. Ping is still unsuccessful:
881-W router:
ip route 10.0.0.0 255.255.255.0 Vlan2
ip route 209.165.0.4 255.255.255.252 Vlan2
2821 router:
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/0
ip route 209.165.0.0 255.255.255.252 GigabitEthernet0/0
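An added example, not part of any post in this thread: a small Python model of which address a router sends an ARP request for, given Router-A's static routes in the interface-only form from the last post and the next-hop form from the first post. It assumes the usual IOS behaviour for an interface-only static route on an Ethernet link (the destination itself is ARPed for); the function names are hypothetical, and whether the ASA answers such a request is left as an input rather than modelled.

```python
import ipaddress

# Router-A (881-W) static routes as posted; addresses are the thread's lab values.
ROUTES_INTERFACE = [  # last post: egress interface only
    "ip route 10.0.0.0 255.255.255.0 Vlan2",
    "ip route 209.165.0.4 255.255.255.252 Vlan2",
]
ROUTES_NEXT_HOP = [   # first post's next-hop variant
    "ip route 10.0.0.0 255.255.255.0 209.165.0.2",
    "ip route 209.165.0.4 255.255.255.252 209.165.0.2",
]
ASA_OUTSIDE_IPS = ["209.165.0.2"]  # addresses the ASA owns on the shared /30


def parse_route(line):
    """Parse 'ip route <net> <mask> <next-hop | interface>'."""
    _, _, net, mask, *rest = line.split()
    network = ipaddress.ip_network(f"{net}/{mask}")
    target = " ".join(rest)
    try:
        return network, ipaddress.ip_address(target), None
    except ValueError:
        return network, None, target  # not an IP, so an interface name


def arp_target(route_lines, dst):
    """Longest-prefix match over static routes; return (IP to ARP for, interface).

    Connected routes are not modelled, so on-link destinations return None.
    """
    dst = ipaddress.ip_address(dst)
    matches = [r for r in map(parse_route, route_lines) if dst in r[0]]
    if not matches:
        return None
    _, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
    if next_hop is not None:
        return next_hop, None  # ARP resolves the next hop
    return dst, iface          # destination treated as on-link: ARP for dst itself


def needs_proxy_arp(target_ip, neighbor_ips):
    """True when no neighbor owns target_ip, so only a proxy-ARP reply can resolve it."""
    owned = {ipaddress.ip_address(n) for n in neighbor_ips}
    return ipaddress.ip_address(target_ip) not in owned


if __name__ == "__main__":
    for name, routes in (("interface", ROUTES_INTERFACE), ("next-hop", ROUTES_NEXT_HOP)):
        ip, iface = arp_target(routes, "10.0.0.1")
        print(name, "-> ARP for", ip, "| proxy ARP needed:", needs_proxy_arp(ip, ASA_OUTSIDE_IPS))
```

For the interface-only routes the ARP target is 10.0.0.1, the same request seen in the `arp-in` line of the first post's debug output.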